Important: Symantec will be replacing VIP Services web SSL certificates on January 14, 2020 beginning at 10:00PM GMT / 2:00PM PST (see Required upgrade for Symantec VIP Services). To facilitate this change, VIP AD FS integration modules must be upgraded to version 9.9 prior to this date. The updated plugin is now available for download from VIP Manager.
This article contains instructions for upgrading the AD FS plugin module. Please refer to the integration guide for specific requirements.
An error can occur if the old hierarchy is used, causing AD FS authentication failures due to the certificate mismatch.
Important considerations before upgrading:
Users will not have access to AD FS services during this upgrade. To avoid downtime, route authentication traffic through a temporary AD FS server during the upgrade. After the upgrade is complete, route authentication traffic back through the upgraded AD FS servers and remove the temporary AD FS server.
All AD FS servers within a farm must use the same version of the VIP integration module. If a plugin version mismatch between members is detected, VIP multi-factor authentication will not function.
Create a backup of the ADFS Installation folder (C:\Program Files\Symantec\ADFS3 or C:\Program Files\Symantec\ADFS).
Create a backup of the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\ADFS3.0
Download the latest AD FS plug-in from VIP Manager. (VIP Manager>Account>Download Files>Third Party Integrations>Plugins>Active_Directory_Federation_Services.zip). The plugin version is indicated in the version.txt file.
Install and configure the AD FS Plug-in. Configure with the same VIP User ID from step 4. If the ADFS plug-in is installed and configured in a multi-server deployment (i.e., AD FS server farm), the secondary AD FS server will show the Windows Account Name as the VIP User ID by default. However, the VIP User ID attribute on the secondary server(s) cannot be modified. The VIP User ID configured on the primary ADFS server will be used.
Verify the version 9.9 DLL datestamps are 5 Nov 2019:
Note: This initial ADFS 9.9 plugin will appear in the Windows programs list as version 9.8. This is expected for this release. Please use the DLL file datestamps to verify.
To verify that the VIP 9.9 plugin is installed and functioning for ADFS MFA, check the VIP plugin logs on each ADFS server (i.e., \Program Files\Symantec\ADFS). Authentication request IDs will contain the prefix ADFS_9_9. For example: 12/11/2019 2:09:46 PM : User TESTUSER authentication successful, Request ID: ADFS_9_9_0_192_168_1_60_12345.
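The log check described above can be scripted across farm members. The following PowerShell is an added example, not Symantec's code: it reads the plugin version from each Request ID prefix, ignores entries written before the upgrade, and flags any server or farm-wide mismatch. The server names, the ADFS_9_8 prefix for an older plugin, the upgrade time and the US-style timestamp format are assumptions, and the log lines are constructed samples.

```powershell
# Constructed sample log lines (not real data), modeled on the article's example line.
# Assumptions: server names, the ADFS_9_8 prefix for an older plugin, US-style timestamps.
$sample = @{
    'ADFS01' = @(
        '12/11/2019 1:40:03 PM : User ALICE authentication successful, Request ID: ADFS_9_8_0_192_168_1_60_12001.'
        '12/11/2019 2:09:46 PM : User TESTUSER authentication successful, Request ID: ADFS_9_9_0_192_168_1_60_12345.'
    )
    'ADFS02' = @(
        '12/11/2019 2:10:15 PM : User BOB authentication successful, Request ID: ADFS_9_8_0_192_168_1_61_22001.'
    )
}
$upgradeTime = [datetime]'2019-12-11 14:00:00'   # hypothetical end of the upgrade window
$required    = '9.9'

# Emit "major.minor" for every request ID logged at or after $Since.
function Get-VipPluginVersion {
    param([string[]]$Lines, [datetime]$Since)
    $culture = [Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        if ($line -match '^(?<ts>.+? [AP]M) : .*Request ID:\s*ADFS_(?<maj>\d+)_(?<min>\d+)_') {
            $ts = [datetime]::ParseExact($Matches.ts, 'M/d/yyyy h:mm:ss tt', $culture)
            if ($ts -ge $Since) { '{0}.{1}' -f $Matches.maj, $Matches.min }
        }
    }
}

# One row per farm member: which plugin versions answered requests after the upgrade.
$report = foreach ($server in ($sample.Keys | Sort-Object)) {
    $versions = @(Get-VipPluginVersion -Lines $sample[$server] -Since $upgradeTime |
                  Sort-Object -Unique)
    [pscustomobject]@{
        Server   = $server
        Versions = if ($versions) { $versions -join ',' } else { 'no request IDs found' }
        Upgraded = ($versions.Count -eq 1 -and $versions[0] -eq $required)
    }
}
$report | Format-Table -AutoSize

# All farm members must run the same plugin version, or VIP MFA will not function.
$farmVersions = @($report.Versions | Sort-Object -Unique)
if ($farmVersions.Count -gt 1) {
    Write-Warning "Plugin version mismatch across farm members: $($farmVersions -join ' vs ')"
}
$report | Where-Object { -not $_.Upgraded } | ForEach-Object {
    Write-Warning "$($_.Server) is not yet answering with plugin $required ($($_.Versions))"
}
```

On a real farm, replace the inline samples with the contents of the plugin log files read from each server's plugin folder.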
If your organization cannot immediately install the latest AD FS plug-in, certificate pinning can be temporarily disabled. The following steps are recommended only as a temporary workaround until the VIP plugin can be upgraded to version 9.9.